6 Questions Districts Should Ask Companies to Protect Student Data

With a recent flood of student data privacy laws and providers of technology solutions, public school districts have found themselves scrambling to put compliance measures in place. As an education law attorney and chair of Fagen Friedman & Fulfrost’s eMatters law practice dedicated to education and technology, I know this process can be challenging for school districts. Thankfully, there are resources available to help.

When a school district is the intermediary in providing student access to an online educational site, the consent requirements become the responsibility of the school district.

To ensure school districts are meeting their obligations, it is helpful to have some background on the legal guidelines for protecting student data privacy. The Children’s Online Privacy Protection Act, or COPPA, is a comprehensive set of federal laws requiring mechanisms be put in place to protect children’s privacy online. COPPA applies to operators of commercial websites and online services directed to children under the age of 13 that collect, use or disclose personal information from children; operators of general audience websites or online services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13; and websites or online services that have actual knowledge that they are collecting personal information directly from users of another website or online service directed to children (collectively referred to as operators).

COPPA requires operators to:

Post a clear and comprehensive online privacy policy describing their information practices for personal information collected online from children

Provide direct notice to parents and obtain verifiable parental consent, with limited exceptions, before collecting personal information online from children

Give parents the choice of consenting to the site operator's collection and internal use of a child's information, but prohibiting the site operator from disclosing that information to third parties (unless disclosure is integral to the site or service, in which case, this must be made clear to parents)

Provide parents access to their child's personal information to review and/or have the information deleted

Give parents the opportunity to prevent further use or online collection of a child's personal information

Maintain the confidentiality, security, and integrity of information they collect from children, including by taking reasonable steps to release such information only to parties capable of maintaining its confidentiality and security

Retain personal information collected online from a child for only as long as is necessary to fulfill the purpose for which it was collected and delete the information using reasonable measures to protect against its unauthorized access or use.

These requirements typically apply to the operator of an online educational site. However, when a school district is the intermediary in providing student access to an online educational site, the consent requirements become the responsibility of the school district. Failure to do so could result in significant legal liability for a school district if a student's privacy is compromised.

In response to the COPPA amendments, school districts are encouraged to post clear and comprehensive online privacy policies. As a best practice, it is recommended by the Federal Trade Commission that school districts provide parents with notice of the websites and online services whose collection of student data the district has consented to on behalf of the parent, and that school districts make the operators direct notices regarding information practices available to parents.

School districts should also be proactive in asking key questions from online operators and sites made available to students, like:

What type of information does the operator collect from students?

Is the information used for commercial purposes? (If so, a school cannot consent on behalf of the parent.)

Is the information shared with third parties?

Are parents able to view and delete information collected from students? (If so, a school cannot consent on behalf of the parent.)

What security measures does the site operator take?

What are site operators data retention policies?

The California Education Code requires school districts to provide a safe school environment, and school districts universally want to protect student privacy. However, keeping up with the state and federal privacy laws may prove challenging for Operators and school districts. I hope these recommendations and resources will guide Operators, school districts and parents to make informed decisions to incorporate technology into the educational process in a way that is both beneficial and safe for our children.

With a recent flood of student data privacy laws and providers of technology solutions, public school districts have found themselves scrambling to put compliance measures in place. As an education law attorney and chair of Fagen Friedman & Fulfrost’s eMatters law practice dedicated to education and technology, I know this process can be challenging for school districts. Thankfully, there are resources available to help.

When a school district is the intermediary in providing student access to an online educational site, the consent requirements become the responsibility of the school district.

To ensure school districts are meeting their obligations, it is helpful to have some background on the legal guidelines for protecting student data privacy. The Children’s Online Privacy Protection Act, or COPPA, is a comprehensive set of federal laws requiring mechanisms be put in place to protect children’s privacy online. COPPA applies to operators of commercial websites and online services directed to children under the age of 13 that collect, use or disclose personal information from children; operators of general audience websites or online services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13; and websites or online services that have actual knowledge that they are collecting personal information directly from users of another website or online service directed to children (collectively referred to as operators).

COPPA requires operators to:

Post a clear and comprehensive online privacy policy describing their information practices for personal information collected online from children

Provide direct notice to parents and obtain verifiable parental consent, with limited exceptions, before collecting personal information online from children

Give parents the choice of consenting to the site operator's collection and internal use of a child's information, but prohibiting the site operator from disclosing that information to third parties (unless disclosure is integral to the site or service, in which case, this must be made clear to parents)

Provide parents access to their child's personal information to review and/or have the information deleted

Give parents the opportunity to prevent further use or online collection of a child's personal information

Maintain the confidentiality, security, and integrity of information they collect from children, including by taking reasonable steps to release such information only to parties capable of maintaining its confidentiality and security

Retain personal information collected online from a child for only as long as is necessary to fulfill the purpose for which it was collected and delete the information using reasonable measures to protect against its unauthorized access or use.

These requirements typically apply to the operator of an online educational site. However, when a school district is the intermediary in providing student access to an online educational site, the consent requirements become the responsibility of the school district. Failure to do so could result in significant legal liability for a school district if a student's privacy is compromised.

In response to the COPPA amendments, school districts are encouraged to post clear and comprehensive online privacy policies. As a best practice, it is recommended by the Federal Trade Commission that school districts provide parents with notice of the websites and online services whose collection of student data the district has consented to on behalf of the parent, and that school districts make the operators direct notices regarding information practices available to parents.

School districts should also be proactive in asking key questions from online operators and sites made available to students, like:

What type of information does the operator collect from students?

Is the information used for commercial purposes? (If so, a school cannot consent on behalf of the parent.)

Is the information shared with third parties?

Are parents able to view and delete information collected from students? (If so, a school cannot consent on behalf of the parent.)

What security measures does the site operator take?

What are site operators data retention policies?

The California Education Code requires school districts to provide a safe school environment, and school districts universally want to protect student privacy. However, keeping up with the state and federal privacy laws may prove challenging for Operators and school districts. I hope these recommendations and resources will guide Operators, school districts and parents to make informed decisions to incorporate technology into the educational process in a way that is both beneficial and safe for our children.